Conti Group Takes Advantage of Vulnerable Exchange Servers

Fraud Management & Cybercrime
Governance & Risk Management
Patch Management

Pondurance: Ransomware Group Used Backdoors That Persist

Conti Group Takes Advantage of Vulnerable Exchange Servers

Some patched on-premises Microsoft Exchange email servers are still proving to be vulnerable. The Conti ransomware group is now leveraging backdoors that persist, cybersecurity consulting firm Pondurance reports.

See Also: Live Panel | How Organizations Should Think About Zero Trust

“Despite patching, thousands of devices might still be compromised,” Pondurance researchers say. Conti apparently is attacking organizations that mitigated the Exchange flaws first exploited by Chinese attackers but failed to identify and remove the already-installed backdoor access, researchers say.

On March 4, Microsoft issued emergency patches for four vulnerabilities in certain versions of its on-premises Exchange email servers (see: Microsoft Exchange: Server Attack Attempts Skyrocket).

China Accused

In July, the Biden administration formally accused a group working for China’s Ministry of State Security of carrying out a series of attacks against vulnerable Microsoft Exchange email servers earlier this year that affected thousands of organizations in the U.S. and internationally.

Last week, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technology, explained that the U.S. has not sanctioned China for its aggressive cyber actions because it’s first attempting to build an international consensus on how to react.

Meanwhile, Chinese advanced persistent threat groups have been found exploiting flaws in Microsoft Exchange servers to compromise networks of telecommunication providers across Southeast Asia to harvest customers’ sensitive communications.

The Latest Findings

The Pondurance researchers identified one case in which an on-premises Exchange server had an unauthorized and abused remote monitoring and management agent installed.

“The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine,” Pondurance says. “In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware.”

The researchers note that the organization likely patched Exchange without performing due diligence on whether already-installed backdoor access had been removed.

“Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point,” Pondurance says. “These services should be present within the registry and would have generated ‘Service Created’ event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under ‘C:ProgramData,’ ‘C:Program Files (x86),’ and ‘C:WindowsTemp.'”

In March, British clothing and accessory retailer Fat Face paid a $2 million ransom to Conti to unlock its systems after it accessed several files containing sensitive data. The group has also been tied to attacks in the healthcare sector (see: Patient Files Dumped on Darknet Site After Hacking Incidents).

In May, the FBI warned healthcare organizations and first responder networks about Conti ransomware attacks, advising them to take measures to help prevent becoming a victim after a Conti attack on Ireland’s Health Service Executive.

Training Materials Exposed

Meanwhile, a disgruntled Conti affiliate reportedly has leaked key training material from the ransomware group after complaining about the profit split.

Conti, a ransomware-as-a-service operation, hires affiliates to perform network breaches and encrypt devices in exchange for a percentage of ransoms paid.

A security researcher shared a post created by an angry Conti affiliate who publicly leaked information about the ransomware operation, Bleeping Computer reports. That information includes the IP addresses for Cobalt Strike C2 servers and a 113 MB archive containing numerous tools and training material for conducting ransomware attacks, according to the report.

In addition, the affiliate posted on a popular Russian-speaking hacking forum that he had been paid $1,500 as part of an attack, while the gang members made millions, according to the Bleeping Computer report.

Similar Posts